pfSense and SSH Gate in one box?

pcm81

Senior member
Can anyone tell me if it's a good or a bad idea to run the SSH tunnel via the same *nix server that pfSense is installed on, or should the gateway be a separate box? Looking for "best practices" type of suggestion. The main idea with the SSH gate is to have only 1 port open to the internet and have a powerful machine serving SSH tunnels connecting remote clients to network resources. Here are the layouts:

Internet --- pfSense (one port open to ssh server) --- SSH server === multiple tunnels to the network resources

Internet --- pfSense+SSH server === multiple tunnels to the network


Thanks
 
Personally I like to keep the firewall as a completely separate physical box. Basically it minimizes the attack surface. Ex: if the SSH server gets compromised then they can also start changing rules in the firewall.

Either way you should be running fail2ban or another form of brute force prevention on SSH anyway. So SSH with fail2ban on pfSense would probably be fine, it's just that I prefer keeping it separate.
 
Thanks. That is what I was thinking too. Two separate boxes would probably suit my network infrastructure better anyway. Do you think fail2ban is a good tool? It makes perfect sense if SSH is password protected, but what about 2048-bit RSA authentication with password disabled?
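For the SSH gate layout in the first post (one exposed port, tunnels only, key-only auth), here is an added example of how the gate's sshd_config and a fail2ban jail could be tightened; it is not from the thread, and the port, group name and internal addresses are placeholders.

```conf
# /etc/ssh/sshd_config on the SSH gate (added example; values are placeholders)
# The single port pfSense forwards to this box.
Port 22
PermitRootLogin no
# Key-only authentication: no password or PAM prompt to brute-force.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
MaxAuthTries 3
LoginGraceTime 20
# Only members of the placeholder group "sshtunnel" may connect at all.
AllowGroups sshtunnel
# Deny everything by default; re-enable only what the tunnel group needs.
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
# VERBOSE logs key fingerprints and pre-auth failures that fail2ban can match.
LogLevel VERBOSE

# Tunnel users get local forwarding to named internal resources and nothing else.
Match Group sshtunnel
    AllowTcpForwarding local
    # Placeholder internal hosts: the only tunnel destinations allowed.
    PermitOpen 10.0.10.20:3389 10.0.10.30:443
    PermitTTY no
    # No shell is ever started; clients connect with "ssh -N -L ...".
    ForceCommand /bin/false

# /etc/fail2ban/jail.local on the same box
[sshd]
enabled  = true
port     = 22
filter   = sshd
# "aggressive" = normal + ddos + extra patterns, so pre-auth disconnects count too.
mode     = aggressive
maxretry = 3
findtime = 10m
bantime  = 1h
```

With passwords disabled, the jail mainly cuts log noise and pre-auth connection churn rather than stopping credential guessing, which is why the aggressive mode that counts pre-auth disconnects is the one worth enabling on a key-only gate.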
 
Or just vm both
NNNNNOOOOOOOOO000000000ooooooooo

If the ssh gate is a VM, that means the same port is open on its parent machine, so what's the point of a VM if the parent is open to attacks too. If the firewall is running in a VM that means there is the parent OS essentially running parallel to the VM over those two same Ethernet ports, hence giving a second, parallel AND POSSIBLY LESS SECURE route for traffic...
 
Ports can be dedicated to VMs. Doesn't have to be open to the host.
 
I would not VM a firewall. I know a lot of people do it, but it just seems dirty to me. You want the network physically split by hardware. I don't like the idea of an internal server having any port that is directly connected to the internet. A misconfiguration or glitch could expose the whole server or other internal VMs instead of just the VM you want.

Same with people who VM storage, I really don't see the point of that, you still need physical storage to put the VMed storage on...
 
As sdifox mentioned, you can dedicate NICs to VMs to eliminate the management OS from the equation. Looping the NIC, even to another NIC within the same host, is "splitting by hardware" while lowering the cost of requiring an overpriced appliance with sh***y support *cough*cisco*cough*.
 